Learn how to optimize 3DS and provide maximum security to your customers while delivering a great and effective checkout experience.
The European Union Strong Customer Authentication (SCA) standards are now mandatory for all European online transactions. SCA was introduced to protect consumers from fraud as part of the EU’s Payment Security Directive 2 (PSD2) regulations.
To comply with the regulations, all card issuers and banks must add two-factor authentication for all card payments made by EU-based shoppers. Some exemptions may apply, but merchants shouldn’t rely on them when accepting online payments in Europe.
Under the previous regulations governing payment security in Europe, a protocol known as 3D Secure 1.0 (3DS 1.0) was used to verify digital payments. The new regulations require an updated version of the protocol called 3D Secure 2.0, which makes it easier for financial institutions to collect and process customer payment information following SCA requirements. This enables e-commerce companies to achieve the highest approval rates and reduce the risk of a transaction being declined due to non-compliance.
Many merchants believe that the more security checks there are in the checkout flow, the more likely there are to be technical issues and the less likely customers are to complete their purchase. However, implementing 3DS doesn’t have to negatively impact online transactions – in fact, when integrated correctly and well-optimized, 3DS can enhance the customer experience.
Read this article to learn how to optimize 3DS and provide maximum security to your customers while delivering a great checkout experience.
Table of contents:
What does the 3DS flow look like?
3D Secure: A trade-off between convenience and security?
3D Secure 2.0 (3DS 2.0) is a protocol designed to improve the exchange of online transaction data and protect consumers. It is an improved version of the original “Three Domain Secure” (3DS) authentication used by card issuers and acquirers in accordance with specific card schemes such as MasterCard and Visa. 3DS 2 safeguards against potential fraud and chargebacks.
3DS works based on a three-domain model:
All of these parties engaged in a transaction are authenticated using digital certificates via Secure Sockets Layer (SSL) protocol and Extensible Markup Language (XML) messages.
When a buyer inserts their card information, the merchant receives their request and enrolls them via a three-desired-step flow.
Once the issuer receives a payment request, they can review contextual data, including the type of product within the purchase, the buyer’s shipping location, device type, etc.
At this point, the issuer might deem the information sufficient to approve or deny the transaction. Otherwise, they may request the buyer to prove their identity with additional information such as face recognition or fingerprints. The issuer decides which challenge the customer needs to perform – face recognition, fingerprinting, or a one-time verification code.
Finally, after providing the requested information in the validation step, the issuer approves or denies the transaction.
(3D Secure support graphic – What is 3D Secure 2.0 and how does PayU support merchants to comply with 3DS).
As with any security measure, 3DS 2 is not free from disadvantages. In Europe, the challenges of 3DS implementation arise primarily from the failure to complete payment flows. Many banks lack some requirements, such as responsive web design, two-factor authentication, and other technological conditions significantly affecting customer experience. For instance, such organizations are required to perform two-step authentication flows, which means that a one-time passcode is insufficient and requires an additional step. The added step turns out to be tricky: even the most advanced banks – ones that have implemented the two-stage verification – lose a hefty percentage of transactions due to 3DS.
Failure to meet these requirements has plummeted conversion rates by 3.5%.
As expected, 3DS 2 poses challenges to the customer experience as well. The new requirements may be unfamiliar to many customers initially, potentially increasing abandoned carts at checkout and impacting approval rates.
In fact, if we examine the particular causes of 3DS rejection, we can identify two major defects that occur during the authentication attempt.
1- “Timeout at ACS”
“Timeout at ACS” indicates that the message “SCA Window” appeared on the customer’s screen, but no action was performed. It accounts for 62% of all 3DS authentication error rejections (+10% from the previous year).
2- “Authentication failed”
“Authentication failed” indicates that the user was unable to perform authentication correctly. It accounts for 21% of all 3DS error rejections (-12% compared to the previous year).
Nonetheless, the customer experience can also improve with 3DS 2. According to Visa, thanks to 3DS 2, cart abandonment will drop by 70% and checkout times by 85%. How is that possible? For trusted transactions, payment service providers can enable a frictionless payment journey without asking customers to provide any additional authentication. For any payments that are deemed riskier, providers can ask customers to authenticate with biometrics (fingerprint or facial recognition) or one-time passwords. By using data to their advantage, they can increase approval rates for merchants and offer a seamless payment journey for the majority of transactions.
And here’s the best part: for merchants, 3DS comes with more advantages than just security. Customers are more likely to complete purchases on a website if they feel confident that their payment information is safe. Merchants can reduce disputed transactions and boost sales by implementing 3DS, designed to eliminate sources of fraud.
Our analysis shows that transactions with Strong Customer Authentication (SCA) experience a significant number of rejections and may result in lower approval rates.
PayU allows merchants to accommodate 3DS on all platforms, using payment analytics to monitor and identify decreases in approval rates due to the 3DS verification process. Such insights are crucial for businesses to keep tabs on their performance and take action if they see a drop in approval rates.
A soft decline occurs when a bank confirms the existence of the card but cannot approve the transaction for some reason. For example, strong customer authentication (SCA) may be required (for compliance reasons). A soft decline indicates that this transaction could be approved if the cause of the soft decline was resolved. Payment providers such as PayU assist merchants with soft declines. Indeed, if an issuer rejects a transaction that was processed without 3DS authentication, PayU resends it with 3DS authentication.
To get a realistic picture of transaction rejections and keep their business safe, merchants need an anti-fraud system that assesses whether transactions are potentially fraudulent or not.
If a transaction is deemed safe, a system like PayU’s solution can carry out 3DS 2 exemption to improve the approval rates. Exemptions that can be applied are either low-value transactions (with an amount below 30€ or low risk (TRA) or transactions considered non-fraudulent by the antifraud system.
If the system applies for the exemption, the end customer doesn’t have to undergo a strong customer authentication process. As a result, the merchant can offer a smooth and secure checkout experience, ensuring the highest level of approval rates.
For example. PayU has optimized approval rates for more than 50 merchants in Europe saving approximately 1,000,000 transactions and over $30 million dollars.
While SCA is still mandatory only in European countries, other markets are also becoming interested in the idea of implementing 3DS 2 to improve the security of their payments and deliver a more frictionless customer experience. This is especially relevant since cybercriminals are actively developing new methods for bypassing 3D Secure protocols to commit card-not-present (CNP) fraud. Most commonly, these methods include a combination of phishing attacks (to circumvent 3D Secure) and social engineering. Instead of betting on a direct attack, cybercriminals slowly make their way around the system and craft a social engineering campaign meant to trick consumers into handing over sensitive information such as their card numbers or bank account information.
While security is a key part of e-commerce payments and can today be successfully addressed by modern anti-fraud solutions, businesses need to balance safety and performance. That is why it’s paramount for e-commerce merchants to partner with a high-quality payments provider that will help them to carry out payments securely and optimize security measures such as 3DS 2 to achieve higher approval rates and grow their business.